Group Policy Blog by Darren Mar-Elia (The “GPOGUY”)
The Attack of the Trojan GPOs
The story of the Trojan Horse is well known to everyone who has taken a history class. True or not, the story goes that the Greeks, in an effort to finally sack the city of Troy, construct a giant wooden horse with some of their top soldiers hidden inside. They wheel...
Understanding Group Policy Privilege Escalation in CVE-2020-1317
Earlier this month, Microsoft released an advisory for CVE-2020-1317 which describes a privilege escalation vulnerability in Group Policy. This was further detailed by the discoverer of the vulnerability on the Cyberark website. The nature of this issue is interesting...
Quirks in Restricted Groups Policy on AD Groups
About a year ago, I posted about the perils of granting someone write access on the Active Directory Domain NC "head" object, and how you could use that and some quirks in Restricted Groups policy to essentially elevate your access in AD, just based on being able to...
Understanding the Registry Policy Archive File
One of the advantages of messing around with Group Policy since before it shipped, is that there is a lot of stuff rattling around in my head that I've been re-thinking in the context of today's modern threat landscape. This allows me to think about current day...
Hijacking Administrative Templates
As I think about Group Policy as a target for attackers, there are many obvious avenues to take advantage of a poorly protected GP infrastructure. I've written about many of these here:...
What Does Group Policy Do When It Can’t Contact a DC?
The title of this blog tells it all. I got asked the question--what happens to GP processing when a client machine isn't on the network and can't connect to it's domain Domain Controllers (DCs)? Does policy get removed? Does it just stay where it is? Can I temporarily...
Sending GPOs Down the Wrong Track–Redirecting the GPT
At this blog title implies, this is a bit of a science experiment. Many years ago I played around with this idea that, there is nothing in the GP infrastructure that REQUIRES you to use SYSVOL to store the settings files that compose most in-the-box policy areas. At...
Group Policy Security– Tinkering with External Paths
If you've been following this blog, you know that about 2 and half years ago, I started talking about Group Policy's precarious role in the typical enterprise's security posture. Many, if not most, AD shops use GP to perform security hardening on their Windows...
Speaking in Chicago Next Month!
Hey folks! Just a quick note that I'm giving a talk next month in Chicago. This is a follow-on to the Semperis Hybrid Identity Protection (HIP) Conference that I spoke at last November. This Chicago "Tech Day" event is a one-day event on March 13th in downtown...
Group Policy Storage Whitepaper Updated!
Hey Folks. It's been too long since I posted here, so I thought I'd break my fast by posting something a bit meaty. Many moons ago, I created a whitepaper, which is on the Gpoguy portion of this site, that described how and where the various areas in Group Policy...